{ "id": "0e691ea7-b7b2-4929-8487-c5342b1294f3", "created_at": "2026-04-06T00:12:22.640932Z", "updated_at": "2026-04-10T03:29:32.029599Z", "deleted_at": null, "sha1_hash": "6945a37b4b82776ef0c9d8b53da95e851803d6bb", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52453, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 13:08:47 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Speculoos\n Tool: Speculoos\nNames Speculoos\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(Palo Alto) We identified a total of five samples from our dataset, all of which were\napproximately the same file size, but contain minute differences amongst the sample set. The\nsubtle differences indicate that they likely originated from the same developer and were either\nrecompiled or patched. As described by FireEye, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix\nGateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely\nexecute arbitrary commands.\nBased on the spread of industries and regions, in addition to the timing of the vulnerability\ndisclosure, we believe this campaign may have been more opportunistic in nature compared to\nthe highly targeted attack campaigns that are often associated with these types of adversaries.\nHowever, considering the exploitation of the vulnerability in conjunction with delivery of a\nbackdoor specifically designed to execute on the associated FreeBSD operating system\nindicates the adversary was absolutely targeting the affected devices.\nInformation\nMalpedia Last change to this tool card: 24 April 2021\nDownload this tool card in JSON format\nAll groups using tool Speculoos\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0e4ffad1-f5b0-4e3d-af45-c3b017566c1e\nPage 1 of 2\n\nChanged Name Country Observed\r\nAPT groups\r\n  APT 41 2012-Jul 2025\r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0e4ffad1-f5b0-4e3d-af45-c3b017566c1e\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0e4ffad1-f5b0-4e3d-af45-c3b017566c1e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=0e4ffad1-f5b0-4e3d-af45-c3b017566c1e" ], "report_names": [ "listgroups.cgi?u=0e4ffad1-f5b0-4e3d-af45-c3b017566c1e" ], "threat_actors": [ { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434342, "ts_updated_at": 1775791772, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6945a37b4b82776ef0c9d8b53da95e851803d6bb.pdf", "text": "https://archive.orkl.eu/6945a37b4b82776ef0c9d8b53da95e851803d6bb.txt", "img": "https://archive.orkl.eu/6945a37b4b82776ef0c9d8b53da95e851803d6bb.jpg" } }